Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Microsoft Confirms Critical Win2K Flaw



 By: Ryan Naraine
2005-04-21
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
A security research outfit publishes details and proof-of-concept exploit code for a serious flaw in fully patched Windows 2000 systems.

Software engineers at Microsoft Corp.s security research center on Thursday confirmed a potentially dangerous security hole in fully patched Windows 2000 systems that could put users at risk of malicious hacker attacks.

The Redmond, Wash., software maker was forced to go public about the unpatched vulnerability after a private security research company posted details and proof-of-concept exploit code on the Internet.

According to an advisory from Israels GreyMagic Software, the bug was detected in Windows Explorer, which allows users to navigate through the Windows file system by default.

GreyMagic discovered that the preview pane, or Web view, in Windows Explorer could be targeted to launch malicious code on machines running Windows 2000 Professional, Windows 2000 Server and Windows 2000 Advanced Server. Any other application that uses the Web View library under Windows 2000 is also vulnerable, the company warned.

A spokesperson for Microsoft downplayed the risks, insisting that "significant user interaction" would be required for an attack to be successful.

Resource Library:

However, she said Windows 2000 customers concerned about the warning could disable "Web view" by selecting "Use Windows Classic Folders" under the View options of Windows Explorer.

In an unusual move, Microsoft program manager Stephen Toulouse discussed the issue on the MSRC Weblog and recommended that customers block SMB (Server Message Block) communication at the firewall to minimize the risks.

Toulouse said the SMB attack vector would mostly likely only affect customers running Windows 2000 on an internal network. "Windows 2000 customers connected to the Internet would be at reduced risk from an attack," he said.

"Microsoft will continue to investigate this and once that investigation is complete, well evaluate the appropriate action to take to protect customers. This may include providing a fix through our monthly release process or providing an out-of-cycle security update," Toulouse said.

Enabled by default on Windows 2000 systems, the preview pane in Windows Explorer displays information on some types of files when they are selected. It is implemented via an HTML resource file (in webvw.dll) that examines the currently selected file, reads its metadata and displays useful information about it, GreyMagic explained. The displayed information includes the files size, attributes, modification date and author.

eWEEK Labs Director Jim Rapoza says Microsoft needs to release a service pack for Windows 2000 similar to XP SP2. Click here to read his column.

When the preview pane outputs the documents author name, it checks whether the name resembles an e-mail address; if so, it transforms it into a mailto: link in the pane. "The transformation into a link does not filter potentially dangerous characters and makes it possible to inject attributes into the link, which enables execution of arbitrary script commands," GreyMagic said.

The company said script commands injected in this manner will execute as soon as the malicious file is selected in Windows Explorer and will be executed in a trusted context, which means they will have the ability to perform any action the currently logged-on user can perform.

"This includes reading, deleting and writing files, as well as executing arbitrary commands," GreyMagic said in its advisory.

Microsoft criticized GreyMagic for publishing proof-of-concept code alongside its advisory, arguing that such a move could potentially harm computer users.

"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so that they do not aid criminals in their attempt to take advantage of software vulnerabilities," the spokesperson said in a statement released to Ziff Davis Internet News.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.





  Reader Comments: Microsoft Confirms Critical Win2K Flaw
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r۸j9km]mGJɖkŶ,%^:U*$)Rl+s'ˮO7t$dS%lݍFޛ$\i9#r3k}jxޢ>? ?Xf0TE[ \Ϥ^-Am۟@Ou 5rj9:ruz=>;|9|@D%cjAM&#{Fm_&2z5ܯ3 fE1;&}9B ~5{sr!%2}<K;="?+B#]2IXߦðuɷ>S=2pYBT!|DJ%h!!Qus_?=~#f^B(ƻF {iZGd`vu=yͰ { /\1r.b,{{w4ɟM*6 L=TVE;&3Ãtf?Dk N\^ Zˆ螥ɧ5u5I ` 1l{`2E%$7 .lq_-%0/<{m6) |@ɤ:!Zda-}9e̛ f4öCٰ5T:Ԫr\ˇJy+^yxx?X>-ip'oZ j^v9~]`v$CM9둫yP}  od}+5UJ`Z. Ǔ$_c::fv}j\"ty[n9,4E; KHr SdXIC/YTU9Df9iNzMҺnoNOnڭ3d̲5<JEӀ Zvb"?[W۳5mٹ풳 i>O[]dO#t2 +?9VV'_ZUCp=['{uH}z>5401\]Z-Jj-2OiuxE$Y-r$:]^Czj ݖUB_ȻHȏKŗG)H73ǚ -md©$|úzNԎR!o4+@_x0Nu{fr@kFPYX`6R\ 9lbsv!fBy+M)z@@ZR~nV(U7$ٛ"G;ž_"ʥep1S{.Ӱuarq ZoV͉*]XYujZlE?´;\gT?k5znZMҽ\u;6޵`Ub}PhvZM]qsuTSt*t n|5"o+rϏMf[ԑplP)uuvL>NP}2=jZIm;Ni(|I}Ѧ>R?[iH'0iݣn]=&tfiXŞ+LPZi`IE 6]LR}>tqHhS0<zw0[[衟#j{t t,/{@`\@8)HpyY?g>o ߣ5#z[-[X6x G͙A }RP|#sZ( w^`z""D% T h4A'EENNAww$]I+TbD8JnOu$]#J"ڹLX*QY,p[/ ͙JRd0U Q򍜈="`&Qea*0pRx5Vn-`oʱ& 2,XCtH{2l4` [N@:4$f.*d٤9`G,&4ğ;n']׾dVV̚3=S.ƃ5œ{nlRr`81 0:|Ch2!iMYgԶ'tuKtu`|d:Nk'p=m~|YFpIN3_iy>g~9厬m[4@>J|z[.z: %r% 5kb$T`CfL <Д /+b*q (>uzS\Oō$ ЊO}?ٲJb-Yֽk%fcP*uR@_&&ےx A-ʘŗZZG"JMP>V "Cɣ($me6L6xGwa=0_ܰ킡K*+G,m+IZObsǖ@6@@whϦ`:3[1P.m^gXީ;}6xISOXdt {,Sp>hBJeHw:vM c7,hZUgm1JL=PF˸Fqm@XĞͧ8]%W=L-Y\.Vݳ°#]5ޅ5f"@0o"=QN4S в`ouqAʫ%uf-0א~3KJAUcϓas@M$ g2,rmٔAu؜;s4Sj%ri9hzh_G3k@b4"T2paLH7] eaðyU_z;6k#Xh;pYb~& >Bkd&B [Ow;$!WTnLb ֚΄Ou#_gрap:pHE&A|Zkhp B@U.(L19r+b*X[8P:T#;$&6t݁Ē:,C.5fPÍ{c?4]ef,Aw@{BRT j%&ZYUKZTpW`qGyWG"MOH_㬯8^~b-0,}Rһ~^};݁\rϙ|b + '3E<& {HZet%_(ƤOMqс,`BrUTՑn vO g: C\4<`c(z`0dmmRs޹m?Q]U᧘Ԉ@|0+9!Nf kkJ$?[éC65Ma&FžJZPk{nxE0Tksfv1FcwŎΒZY f~ q?Lq㉉V}X@&lڊ6͐*8e$LbRM-e+ "l>7.ýx[|8ݙ'gk{J}6Uk[; Uȭ>qd&F&оȣ騫VJy0YhRYpg#HY9޺V:9iz6aVA~Tiv7oQ:\ 5-У'{TnUcG*|:vi 1vM0\}lĝAkF D;3lC &BJAy^It\Ů vx+mلydE]^|pFNyX!6 kq(n|""#^ xjs~G0.lq)%\.Ui {2u9pdZ;iJ3ߪ郦LGnR X%7:^iu[M$}節e:T#UX)TԒP3YTAtUY nb˨eMPJpfX$$\\cz3Ή(d(Q멞aD@}R +nQ/ ew>]:Q?PG# }fR5vļusXd;Ͳ6keD@X)J7eNV*U%P-HjYt~(0|ȈKXVnL&2O%WW\5 qѿ$ϟ}`>t6EM+v@l+J9ww\(2M5 Gt@ 0\' WeR8p,g$ ,$%,tF<&MMx)c K RsɖBxK(T xϰLty' eVqm?s<cSW׏ZU}$}QLMޟ9 #{?Jn)hl/sՓOGxńKuϥ_w^suDDyyuG߫KKxliïR)XwpՔڗw-~.z˾HM$(Xp_4qO'^y{{h6W6|v:Q 2lO"r:e]J|Isѹ͎E%%{u;jtK#ȃ!yN/ZFSLo2X$Czz0K#f/!B2.f3 /s>֒\zF_ɾj,6Aϐa6(Z4Gc)ފ8 V`!w1d LRc (ʱ=`=`Vf{};N .FOdBAnp+z!NUHE*4ДKe=ѓ:)KnSo2MDYkNEh=O[?G chGa(qGɜ $z`eنnKlx4aRL锐'.?|Nhk'I^VR6T$4%!44LNbC]F+Åg ҽn\mOpVHp._xvImK$0k2kt85(^qNHIJiIw3DJ^KjpVKu^Ǣ?<7Gs`NSx_GM>xuS意G 95Gy T:Wvku,daSjoc_ ?--8tǠzRK1&$Z^T@**sᔤW Xd17K0d&'zvA J3`ȞxqGWbR#Q>]bwP{_xŞYiIU/J\-"PnZZ|W%0.րWC3S 'HtDnT&N%NK&b6F05&:8qãJSDoK_ H?[áfBLFY_m} 9?uFqRBie.!MD,' [7EGn& v@Zfg'P]bW _&xSJJr&J5!~ĶrczD l=g,md۪aZ9>fN zs$qxRHa}d6BxX _?sE@ox" Q>xJ4%S\y Oxi9+TUR˯g2M{q~x"A_k(8np3bT(@kep?I ;!Ń/CH#LYΡZa[-{+,[UۉWʒRTm[^)6=)5<;j KQۆ 5lOʶc^z1oJݱ5ecάG ,P) ;/fpF4¡34¡}ԓR)ןNVMR_&=Ǘ!znSoxfP P$ N/[[ߥ ̗홧m\u%XO>#ZNֳ KػYx-P1o4U :>`\;eN5NPq("~~~~5z>븗w? /]ΥIuyC1Q59Wޮ.=u&m6F㣽@Z0yC`UW7K9$p%3IbA9֍$j"%yM4aْom_Lk<2g%^0*o;rԹԠ>Kی:vg@gXTX]Y(R+$#P"XDFX附i#o/K ZBdekJx] ]]}c.t]ϗԂZ,bgIMg]>aJ% 7Q_xo?Ė '%Zf,*o4г-TCFI=N.xR`߮aG ': [@,Q3>N'ƕ_rwU)H[rtn6R z8"v]%oD3 VնK7֭k (X"Pr <]! ׮mcxxXa-l` $lsZ`꛷/I\/AK@Y!1==== =ŪRվmhFZ.]Cφ ^>u6+&{/l]2)f+/L@"K٬ ~i4w½_" E:,vDbtT&WH`'o:9oUk@CQ?/@Q[%{9SP( (E(̰?.3rуki˿ۂX@C#} |s<SQ'Z߶w(A9 >`CMхK3T}.wI.I 6n_}s푻dV ysژyOn Q-G$:z"^O!}~&U.b{  <'^R,?! ^ j{M v-C.cS(\ vNI;ңV6gw$a_g˛UM.cʸiԝ\-pEbBa/Ԕ00ǼȗɈצ:%账f5NMdMymG$5?h۾^c+@m\ն-0VFEQZO0m-m,щ{O*eX -}-?c6ֽf/:y{¡YKj|ubMΨ$t86?%sSD 2%Jf64Lh` >#-'?=@5>f*seνk0/<^"Ҷ'̄Xշ8 50̫հod=I^F [-{8R[~xv1L"C145Qқ粍>J >MAlű?yxO];^ K&5\HFpxAiLʃa°ES,Y:K11\RAr\.he,zVdqK2&/ #zЩ>3&^ME*^0HR&⼢@JVH4i3YxCQ58uMllN!}VC `5olz^C쪫M` oJ.қ`(Cg$r&U"cm䪅J~bO4Cy^ ϢtyӓGV5U*5YQe#Ur z,?@B .kXGl7̋1K%XStϞc);]#=ҳ&Q&Z:<}Q-DR!&R<59'-/(qMl)m54qAcJOu&hYп(E{wi/1~J+k>=̜i҉F;6vCWѵATJ{3EJ-h>#Թ< s?bu{ι0uaeYH 6Ƕl[va|DuvH1tNuGw,@8(p1Na8TJ筄_[Gx}#rcF[q{Za`j5,?Lt1Y71儔JzN[ő1iL(ZxeHbLxa*+G2B1˪M;InP}wY?e=` ' 4u/xyB G>Nl~'&}*2;-Rleo7٤'K8`"wA>po4xUPʕU+&=wӨn3l@"r? I:NU~^P_ԓG)׀bU"Ba=X *>IoH!H]U# `xI(zzh_mnaC#g-d!`<,;p3/gq>9 CO 2+YסB8!ir0Iݾ`?À3{JZ"cR1@Q>~2&gV3!"&Ls6@@P0H7~P5E) c36#&|b怜Al/u z 9 ;k&(?-p E {GLƙ;fQWt_$RE T&}nAm??'~eML)awSa/xCs]F"Sg8dzƸ+˴F'Ll0̪k;Ϋ}-AG,G71=` ?vk_.usx\jH:cPB<_Dy ka]?[/$`3W VjE)OBӾRs]j)q^]y}ɠYV^*vӄ^I+\A] / PIZ  W}O11O=lFLrY4MEN7^sENZ[J5%ۼW6Lg(P]5.[NQʉhSgĵ,"^ûHKvE Ccqq^ VwO|ݻ@)Qe;ʋ Q/Niac~l޴]-Zq-'>;eI5%uԦF h5zQ똪1c-W܄qP "v[\rФo%u}FPkF ߬/?m62;P(GN/o S(?]_~9ˠ;֗sv3Wo73ʡ}Qog}7W(֗_ 0/3_f^fsAK2K Oѫ >Bnjs(?(#/3a|2 *C~`2Ưd:_::?on2 w3 { ׇ }}̠-ff--m%:Iʘ!gk\8=Rdr ~)A_d_y*%YF!g賲+z'_˰Πs32Я!eߧodnleھ>4 aqʍz^S_xښ薽pۭ]hp_/%^a/ ^敽I<"xEǹW4<< X1rnm0zs"X5½p'g|17 }^f1>?&vt{r.v뻸)nד pKSG0%nsOkr>u"[~|^YپGhߊD,z e%Hi0\n9>|#xC/+/g5N?ܴ{Һj\Z3 쓭σ>'Aͷ&DV)pF F,RK|c ,>N)hعjxo.1"uG`f߰- t6EM++J9wwrDa3""CQL`FTMVYI2ZY9,+PPफ़h[iRo視 yVi8an%[C Dk(xYxscDvy_|mBfp0l{|y ގe@7 J,{3ŨـD@Sfŝ}g4mcq) ?`-kD2Yhp䃿 tr81pgi;Ìs,acX4@{4Hl9SYF  %aOR4\șP=w7[p.cc6Hm\wrlCknܙ%;O_F26Xq?Ih"v]!6 R Ň%13{diSlt> a0GVbgHIأ_BDOv&nh7^ \ɡ=Dw郧rS+.Ġ/2>g'4WB&w* Up6a8Yzt>\&Q]pW, {+2‡_i 괯McA۾&]מ V|?>N@U}ˆ 1,ԟ1"^!]Mav; ]%5,l$9=ASh4WϛW5EX˰!MzOmw9=vļKllm{Xj9#Sc? `nwf9cˎ  Mm'#8C>ظlQ޺%76x}Ҁ O1Su .Ыv>cx Lww#*1ue|nHHU֧f2{M:з 57`([| ӽy^ˍ_d%\#d<l[ +"ۂ Kmˤ6q¥"UXJMX,8. ktm9Qh~0r"#<[_ڵlAt=] vE hMg+_2qEnBVJrX}P/):OOgsZ%n_Hv"i,{ QFbFA8u vKѪ V7"60ޏwPRl@ xS az \bXe܄uF.E]hT_ !**c 9/ߵc3qݼ®"vyX]A\gXIڙFX<ٰ޳s+o=Љe;5]g0^7϶p2$82epCikZK 0Dq] XǢȖWqTR:!; /D?8 ci,;bcXJ ,ozԛ'TS*4.v>Ͻn̯]2xDh\N"X=Ðy6#xL 2kV*wN㛼VtƦI:1qzr.{aT셳Qbm٦dTi29J{) qŕ˕4>!f07Nw6̈́ В^&Ůvbe}%L?O(